To help you better understand and derive implications
about the true nature of a security event when it occurs on an endpoint,
you can configure forensics collection options. At the time of a
security event, Traps can report the files that were accessed, modules
that were loaded into memory, URIs that were accessed, and ancestor
processes of the process that triggered the security event.
Configure a new forensics rule.
and then click
Define forensics collection preferences.
then configure preferences in the following fields:
collect information about files that are loaded in memory under
the attacked process for in-depth event inspection.
Report Loaded Modules
report which PE image files are loaded on the system at the time
of a security event.
Report Accessed URI
collect network resources that were accessed at the time of the
security event and uniform resource identifier (URI) information
from web plug-ins, media players, and mail clients.
Report Ancestor Processes
can run Java applets as a process child, and even as a process child
of a process child and so on. Select
record information about the ancestry processes from browsers, non-browsers,
and Java applet child processes to allow you to better understand
the root of an event.
Alternatively, for each data type,
forensics collection or
settings from the preceding rule in the rule hierarchy.
Add Conditions to
the rule. By default, a new rule does not contain any conditions.
To specify a condition, select the
select the condition in the Conditions list, and then
to the Selected Conditions list. Repeat this step to add more conditions,
as needed. You can also define new Conditions.
To define a smaller subset of target objects, select the
and then enter one or more
in the Include or Exclude areas.
The Endpoint Security Manager queries Active Directory to verify
the users, computers, groups, or organizational units. The ESM Console
also offers autocompletion as you type for existing endpoints and
existing virtual groups.
Review the rule name and description. The ESM Console automatically
generates the rule name and description based on the rule details
but permits you to change these fields, if needed.
To override the autogenerated name, select the
Activate automatic description
and then enter a rule name and description of your choice.
Save the forensics rule.
Do either of the following:
rule without activating it. This option is only available for inactive,
cloned, or new rules. When you are ready to activate the rule, select
the rule from the
and then click
the rule to activate it immediately.
saving or applying a rule, you can return to the